VMware Cloud Community
DLally
Enthusiast

What is the proper URL to access newly created tenant in 6.1.1?

I've built a fresh 6.1.1 environment, all services are online and everything looks fine.  I created a new tenant and am unable to access it.

Previously in 6.0.1 I used https://vcac.com/shell-ui-app/org/test

6.1 documentation says it should now be https://vcac.com/vcac/org/test

But when I access the new URL in 6.1.1 I just get this error:

HTTP Status 400 - Unable to process request


type Status report

message Unable to process request

description The request sent by the client was syntactically incorrect.


VMware vFabric tc Runtime

Am I missing something? 

10 Replies
quantum_2
Enthusiast

Try this; it works on my home lab:

https://vcac-core.xyz1.local/shell-ui-app/org/tenant1

DLally
Enthusiast

Tried that and get the same error...

HTTP Status 400 - Unable to process request


type Status report

message Unable to process request

description The request sent by the client was syntactically incorrect.


VMware vFabric tc Runtime

GMCON
Enthusiast

https://websitefqdn/vcac/org/tenant

Is the proper formatting, so if you are having issues then it is probably the configuration.

DLally
Enthusiast

Weird... everything else seems ok.

SSO logs have this:

DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor - getCertificatesForRelyingParty https://test.com/vcac/org/test/saml/websso/metadata

DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor - Caught exception java.lang.IllegalArgumentException: The validated object is null

DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor - getIdpEntityId

DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor - getAcsForRelyingParty https://test.com/vcac/org/test/saml/websso/metadata, index null, URL null, binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor - Caught exception java.lang.IllegalArgumentException: The validated object is null

DEBUG: com.vmware.identity.samlservice.AuthnRequestState - Caught exception while generating response java.lang.IllegalStateException: BadRequest, will return 400

INFO : com.vmware.identity.BaseSsoController - Responded with ERROR 400, message Unable to process request

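An added example, not part of the original thread: a small parser for SSO log lines in the format quoted in the post above, which pairs each relying-party lookup with the exception logged right after it and attaches both to the error response that follows. The function name `failed_requests` is hypothetical, and the sample input is constructed from the lines quoted in the post.

```python
import re

# Constructed sample in the format of the SSO log lines quoted in the post above.
SAMPLE_LOG = """\
DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor - getCertificatesForRelyingParty https://test.com/vcac/org/test/saml/websso/metadata
DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor - Caught exception java.lang.IllegalArgumentException: The validated object is null
DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor - getIdpEntityId
DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor - getAcsForRelyingParty https://test.com/vcac/org/test/saml/websso/metadata, index null, URL null, binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor - Caught exception java.lang.IllegalArgumentException: The validated object is null
DEBUG: com.vmware.identity.samlservice.AuthnRequestState - Caught exception while generating response java.lang.IllegalStateException: BadRequest, will return 400
INFO : com.vmware.identity.BaseSsoController - Responded with ERROR 400, message Unable to process request
"""

LINE = re.compile(r"^(?P<level>[A-Z]+)\s*:\s+(?P<logger>\S+) - (?P<msg>.*)$")
LOOKUP = re.compile(r"^(?P<op>get\w+ForRelyingParty) (?P<url>https?://[^\s,]+)")
TENANT = re.compile(r"/vcac/org/(?P<tenant>[^/]+)/saml/")
RESPONSE = re.compile(r"Responded with ERROR (?P<status>\d{3})")

def failed_requests(log_text):
    """Return one record per error response: status, tenants, relying parties, failed lookups."""
    records, failed, last = [], [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        msg = m.group("msg")
        lookup = LOOKUP.match(msg)
        if lookup:
            last = (lookup.group("op"), lookup.group("url"))
        elif msg.startswith("Caught exception") and last:
            failed.append(last)  # exception logged directly after a lookup
            last = None
        else:
            last = None
        resp = RESPONSE.search(msg)
        if resp:
            urls = sorted({u for _, u in failed})
            tenants = sorted({t.group("tenant") for u in urls if (t := TENANT.search(u))})
            records.append({"status": int(resp.group("status")), "tenants": tenants,
                            "relying_parties": urls, "failed_ops": [op for op, _ in failed]})
            failed = []  # start collecting for the next request
    return records

if __name__ == "__main__":
    for rec in failed_requests(SAMPLE_LOG):
        print(rec)
```
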
SeanKohler
Expert

As GMCON stated... config check.

Time's good between SSO and VCAC?

We had some issues with authentication in tenants in 6.1 that were fixed with this KB... even though the KB didn't have the actual error we were facing...

VMware KB: VMware vCloud Automation Center 6.0.x tenants are inaccessible and identity stores dis...

http://www.viktorious.nl/2014/06/10/vcac-prevent-tenants-become-inaccessible-due-expiring-sso-intern...

As an architectural approach, we dumped the idea of sub tenant and decided we would manage tenancy through separate appliances.  It was an "eggs in one basket" decision as much as a decision around product stability.  Running out of the default tenant has reduced the complexity and made things a little more manageable for us.  I would be interested in hearing your experiences as you go along in multi-tenant fashion.

Sean

DLally
Enthusiast

Time is correct, we're using an NTP server.

I'm not sure what sort of configuration could be wrong.  This is a fresh install in a distributed setup.  Load balanced vCAC appliances, IaaS Web components and Manager services.  I'm not having any issues other than being able to login to a newly created tenant.  Albeit, I can't do much until I can do that.

Can you expand on your model with separating with appliances?  Are you using a separate setup per tenant or literally just separate vcac appliances per tenant?  How would that work?

GMCON
Enthusiast

If you are using a distributed environment then when you access the sub tenant are you accessing through the Load balancer URL?  Are you able to access the default tenant through the load balancer URL?  Is your load balancer set up correctly for session affinity not only for the IaaS web components but also the appliances?  I have done multiple configs with a HA deployment with Load Balancer and that is where many configs end up going wrong.

SeanKohler
Expert


Re time... we are also using NTP server, but time wasn't syncing when set up through the admin pages at one point. If you have not done that KB, I highly recommend it.  Even if it doesn't resolve this issue, you will need it.

We built three environments for one tenant: LAB, TEST, DEV.  The latter two are distributed, LB/HA across all stacks, off server DBs for both postgres and MS SQL.

In 6.0, we had started out with a multi-tenancy design across all three.  We rebuilt completely with 6.1, both for enhancement to the distributed model and in order to run directly out of the Default tenant (which has native AD... sub-tenants have LDAP only).

We are going to duplicate the setup for other tenants.  (run out of default tenant e.g. https://vcacvip/vcac)  But that is based out of our business direction, so yours likely varies.  If we had hundreds of smaller tenants, the model wouldn't work very well. But we figure, if we need to stand up a multi-tenancy design, we can do it when there is demand to do so.

What does your tenancy design look like (if you don't mind sharing)?  e.g. Would each of your tenants have a different AD domain? A VCO server for each?  Are you leveraging ASD?

DLally
Enthusiast

I've made some success, slightly.  I'm now able to hit the proper URL for a new tenant, whereas before I couldn't.  I ended up re-doing the SSO cert.  I think my issue was I had been copy/pasting commands and when I actually typed them out, it actually let me apply the cert which I wasn't able to do before.

However when I try to login now, I'm getting a 404 error.  So I'm still stuck lol.  I can't find any logs to even help me troubleshoot.  vCAC logs are showing nothing and going off the article below, I can't even find any of the log folders either...

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=207480...

Mckay0075
Contributor

Hello. Have you tried different web browsers? I used to have that problem and installed Firefox and Chrome, and when one failed to let me in, I used the other one. Hope it helps!
